biometric hand system

Since July 2017, there has been a surge of lawsuits brought against employers under the Illinois Biometric Information Privacy Act (BIPA) in Illinois courts. More than 30 class action lawsuits have been brought against employers such as United Airlines Inc., Intercontinental Hotels Group, Hyatt Corp., Bob Evans Restaurants, Speedway LLC, and others for their use of biometric data in the workplace.

Although the details of each individual case may vary, the plaintiffs often allege that the employer failed to comply with the requirements of BIPA when they used fingerprint-operated machines to record employees' work hours. The growing acceptance of biometric data as a form of identification for employees means that many employers will likely have to face either these or similar issues in the immediate future.

The Illinois Biometric Information Privacy Act (BIPA)

In 2008, Illinois passed the BIPA, which provided rules for the collection and use of biometric data. Organizations must provide written notice to their employees prior to the collection of any biometric identifier. The notice must include the purpose of the collection and the duration that the organization will use or retain the data. Only after obtaining the written consent can organizations begin their collection activities. Once they have collected biometric data, the BIPA requires organizations to protect that data in the same manner they would protect other sensitive and confidential information, using the reasonable standard of care in their industry. The BIPA also requires organizations to have a publicly available, written policy stating how long the organization will retain the data and rules governing the destruction of that data.

The BIPA prohibits organizations from selling or profiting from the biometric data they collect. It also prohibits organizations from disclosing biometric data unless (1) they obtain consent; (2) the disclosure completes a financial transaction requested by the individual; (3) the disclosure is required by federal, state or municipal law; or (4) the disclosure is required by a valid warrant or subpoena.

The BIPA provides a private right of action for violations of the statute and entitles a prevailing party to statutory damages for each violation equal to the greater of $1,000 or actual damages for negligent violations and the greater of $5,000 or actual damages for intentional or reckless violations.

The plaintiffs in the BIPA employer lawsuits allege that the employers violated the BIPA by failing to provide notice to their employees concerning the companies' use, retention and destruction of fingerprint data and/or obtain consent from their employees before collecting and using the fingerprint data. In at least one case, the plaintiff alleged that the employer violated the BIPA by improperly disclosing and sharing the information with a third party.

The BIPA employer lawsuits may have a significant impact on future biometric data privacy statutes. Currently, the landscape for statutes governing biometric data is fairly sparse. There is no federal statute that regulates the collection, use, retention and destruction of biometric data, and only two states (other than Illinois) have enacted biometric data statutes.

Biometric Data Privacy Laws for Texas and Washington

Texas enacted a biometric data privacy law, similar to the BIPA, shortly after the passage of the BIPA. The Texas law required informed consent by individuals before organizations could begin collecting biometric identifiers. However, the consent did not need to be written. The Texas biometric data privacy law also imposed limitations on the sale of biometric information and included security and retention requirements. Unlike the BIPA, only the Texas Attorney General can enforce the Texas biometric data privacy law as the law does not provide a private right of action.

This year, Washington State enacted its own biometric data privacy statute. The Washington statute defines “biometric identifiers” as “data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.” Perhaps in response to the BIPA lawsuits based on the collection and use of facial scans, Washington's definition of “biometric identifiers” expressly excludes “physical or digital photograph, video or audio recording or data generated therefrom.”

Washington's biometric data privacy law applies only to biometric identifiers that are “enrolled” in a commercial database, which is defined as “captur[ing] a biometric identifier of an individual, convert[ing] it into a reference template that cannot be reconstructed into the original output image and stor[ing] it in a database that matches the biometric identifier to a specific individual.” Organizations may not enroll a biometric identifier unless they provide notice and obtain consent.

Like the Texas biometric data privacy law, the Washington statute imposes limitations on the sale, leasing and disclosure of biometric data to third parties and establishes security and retention requirements. The Washington statute also does not provide a private right of action. Only the Washington Attorney General can bring an action to enforce the statute under the Washington Consumer Protection Law.

The Shape of Future Biometric Data Privacy Laws

Given the growing prevalence and importance of biometric data, several state legislatures are considering legislation that would regulate its collection, use and retention. The Alaska, Connecticut, Montana and New Hampshire legislatures all have pending bills governing biometric data. The bills in Alaska, Montana and New Hampshire require that notice be given and consent obtained before biometric data is collected, used or retained. These three bills also have requirements for the retention, disposal and/or security of this data. The Connecticut bill simply prohibits the use of facial recognition for marketing purposes. The Alaska and New Hampshire bills provide for a private right of action, while the Connecticut and Montana bills do not.

The BIPA employer litigation may give states that are considering or in the process of drafting their own biometric data privacy laws some pause. In light of the multitude of class action lawsuits that have been filed, states may either reconsider the scope of their proposed biometric data privacy laws or the wisdom of even enacting such laws. States wishing to attract businesses might be concerned that the potential liability from biometric data privacy laws may act as a deterrent. States may also be concerned that potential liability may discourage businesses currently residing in their states from adopting cutting-edge technology that employs biometric information.

If states do decide to adopt biometric data privacy laws, the scope of those laws may not be as broad as the BIPA. Like the Texas and Washington laws, future biometric data privacy laws may not provide for a private right of action. Only the State Attorney General Office or the Office/Bureau of Consumer Protection in a state may be able to bring an action to enforce the law.

Even if states do provide a private right of action, they may include exemptions or exceptions in the law that narrow it. For example, just as the Washington statute expressly excluded physical or digital photographs and video or audio recordings from its purview, future biometric data privacy laws enacted by states could exclude biometric data collected for noncommercial, administrative purposes from their reach.

Tips for Employers Responding to Biometric Data Privacy Laws

Even as other states grapple with the question of whether to adopt biometric data privacy laws, employers with operations in Illinois, Texas or Washington should consider taking the following steps where appropriate to protect against potential lawsuits.

First, employers should consider providing written notice to their employees and obtaining the written consent of their employees before they collect, use or store the biometric data of those employees. Such a notice should describe the type of biometric data that is being collected, the specific purpose of the collection, and the time period during which the biometric data will be collected, used and stored.

Second, employers should also think about developing and implementing a policy about the retention and disposal of biometric data.

Third, employers should contemplate protecting the biometric data that they collect in at least the same manner as other sensitive and confidential information. This includes using reasonable safeguards, such as encryption, in the storage or transmittal of this information.

Fourth, employers who use third parties in the collection or storage of biometric data should weigh conducting appropriate diligence on these third parties as necessary to ensure that they adhere to the same standards of security. Employers should also consider including these third parties in the notice and consent provided to employees.

Fifth, employers should look at adopting safeguards to prevent the sale, lease or sharing of the biometric data that they collect from their employees where required. Adopting a compliant policy can go a long way in avoiding or, at least, mitigating potential liability. However, it should also be noted that courts have rejected BIPA claims which were based on procedural violations of the statute and which failed to allege any actual injury.

Hanley Chew is Of Counsel in the Litigation Group with Fenwick & West. He focuses his practice on privacy and data security litigation, counseling and investigations, as well as intellectual property and commercial disputes affecting high technology and data-driven companies. Eric Ball is a partner in the Litigation Group with Fenwick & West. He focuses his practice on complex commercial litigation and trademark disputes for technology and gaming companies.
